=== Limited Admin Role ===
Contributors: minhaz52
Tags: role, user role, woocommerce, access control, admin
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 2.9.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Adds a custom "Admin Panel Manager" role with granular capability controls, per-plugin access rules, and a configurable session timeout.

== Description ==

**Limited Admin Role** adds a custom WordPress role called **Admin Panel Manager** that gives a user broad content and product management access — but blocks access to WooCommerce Orders, Customers, Users, and sensitive reports.

**Key Features:**

* 🔐 Granular capability grid — enable or disable every WordPress & WooCommerce capability from the settings UI, organized into 15 categories
* 🚫 Block WooCommerce Orders, Customers, Analytics, and WordPress Users (menu + URL + REST API)
* 🧩 Plugin Access Deny — per-plugin admin page blocking via a dedicated submenu
* 🔑 Plugins view-only — can see installed plugins list but cannot install/activate/deactivate/update/delete
* 🕐 Configurable session timeout (default 12 hours) — forces logout regardless of "Remember Me"
* ✅ Compatible with Rank Math, Yoast SEO, WooCommerce HPOS, and Cloudflare

**Capability Categories:**

* Core Access, Posts, Pages, Media, Appearance & Themes
* Plugins, Users, WordPress Updates
* WooCommerce Products, Orders, Coupons, Reports & Analytics, Settings, Customers
* Comments

== Installation ==

1. Upload the `limited-admin-role` folder to `/wp-content/plugins/` or install via **Plugins → Add New → Upload Plugin**.
2. Activate the plugin through the **Plugins** menu.
3. The **Admin Panel Manager** role is created automatically on activation.
4. Configure settings at **Limited Admin Role** in the WordPress admin sidebar.
5. Assign the role to users via **Users → Add New** or **Users → Edit User → Role**.

== Frequently Asked Questions ==

= How do I assign the role to a user? =

Go to **Users → Add New** and set the Role dropdown to **Admin Panel Manager**. Or edit an existing user and change their role.

= Can I change which capabilities are granted? =

Yes. Go to **Limited Admin Role → Settings → Capabilities tab**. Every capability is listed with a checkbox — check to grant, uncheck to deny. Changes apply immediately on save.

= How does the session timeout work? =

On login, the plugin records a timestamp. On every admin page load, it checks if the elapsed time exceeds the configured limit (default: 12 hours). If so, the session is destroyed and the user is redirected to the login page with a "Session expired" message. The auth cookie is also clamped so "Remember Me" cannot extend beyond the limit.
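
The flow described above, sketched with core WordPress hooks. This is an added example, not the plugin's own code; the role slug `admin_panel_manager`, the `lar_ex_login_at` meta key and the `lar_ex_session_hours` option are assumed names.

```php
<?php
// Added example, not the plugin's own code. The role slug, the 'lar_ex_login_at'
// meta key and the 'lar_ex_session_hours' option are assumed names.
const LAR_EX_ROLE = 'admin_panel_manager';

function lar_ex_limit(): int {
    return max( 1, (int) get_option( 'lar_ex_session_hours', 12 ) ) * HOUR_IN_SECONDS;
}

function lar_ex_is_managed( $user ): bool {
    return $user instanceof WP_User && in_array( LAR_EX_ROLE, (array) $user->roles, true );
}

// 1. Record the login time. User meta is per user, not per session, so a
//    second login from another device restarts the clock for every session.
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( lar_ex_is_managed( $user ) ) {
        update_user_meta( $user->ID, 'lar_ex_login_at', time() );
    }
}, 10, 2 );

// 2. Clamp the auth cookie so "Remember Me" cannot outlive the limit.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return lar_ex_is_managed( get_userdata( $user_id ) ) ? min( $length, lar_ex_limit() ) : $length;
}, 10, 3 );

// 3. Enforce the limit on every admin page load.
add_action( 'admin_init', function () {
    $user = wp_get_current_user();
    if ( ! lar_ex_is_managed( $user ) ) {
        return;
    }
    $login_at = (int) get_user_meta( $user->ID, 'lar_ex_login_at', true );
    // A missing timestamp is treated as expired (fail closed).
    if ( $login_at > 0 && ( time() - $login_at ) <= lar_ex_limit() ) {
        return;
    }
    wp_destroy_current_session();
    wp_clear_auth_cookie();
    wp_safe_redirect( add_query_arg( 'lar_ex_expired', '1', wp_login_url() ) );
    exit;
} );

// 4. Show the notice on the login screen after a forced logout.
add_filter( 'login_message', function ( $message ) {
    return isset( $_GET['lar_ex_expired'] ) ? $message . '<p class="message">Session expired.</p>' : $message;
} );
```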

= Can the user install or activate plugins? =

No. Plugin installation, activation, deactivation, update, and deletion are always blocked. The user can view the installed plugins list (read-only). You can also toggle view access itself from the Capabilities tab (the `activate_plugins` capability).

= How does Plugin Access Deny work? =

Go to **Limited Admin Role → Plugin Access Deny**. Every active plugin and its detected admin pages are listed. Check any pages to block them for the Admin Panel Manager role.

= Is it compatible with WooCommerce HPOS? =

Yes. Both the legacy `post_type=shop_order` URL and the new HPOS `page=wc-orders` URL are blocked.
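
Hiding a menu entry does not stop a direct request, so the block has to be applied at the URL and REST layers as well. The following is an added example, not the plugin's own code; the role slug and the function name are assumed, and the REST pattern assumes WooCommerce's versioned `wc/v*` namespace.

```php
<?php
// Added example, not the plugin's own code. The role slug is an assumed name.
function lar_demo_is_managed(): bool {
    return in_array( 'admin_panel_manager', (array) wp_get_current_user()->roles, true );
}

// Direct URL access: legacy order screens and the HPOS screen.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() || ! lar_demo_is_managed() ) {
        return;
    }
    $page      = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    $post_type = isset( $_GET['post_type'] ) ? sanitize_key( wp_unslash( $_GET['post_type'] ) ) : '';

    // The legacy single-order edit screen is post.php?post=ID and carries no
    // post_type parameter, so resolve the type from the post ID.
    if ( '' === $post_type && isset( $_GET['post'] ) ) {
        $post_type = (string) get_post_type( absint( $_GET['post'] ) );
    }

    if ( 'wc-orders' === $page || 'shop_order' === $post_type ) {
        wp_die( 'You are not allowed to access this page.', '', array( 'response' => 403 ) );
    }
} );

// REST access: refuse order routes before the endpoint callback runs.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( lar_demo_is_managed() && preg_match( '#^/wc/v\d+/orders(/|$)#', $request->get_route() ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Orders are not available to this role.',
            array( 'status' => 403 )
        );
    }
    return $result;
}, 10, 3 );
```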

= Does it work with Rank Math and Yoast SEO? =

Yes. Both plugins show their meta boxes to any user with `edit_posts` capability, which this role has by default.

== Screenshots ==

1. Settings page — General tab (session timeout, SEO plugin, role summary)
2. Settings page — Capabilities tab (categorized checkbox grid)
3. Settings page — Menu & URL Blocks tab (quick-toggle switches)
4. Plugin Access Deny submenu (per-plugin page blocking)
5. Plugins page as seen by the managed role (view-only, no action links)

== Changelog ==

= 2.3.0 =
* Fixed: Rank Math REST API calls (`/wp-json/rankmath/v1/updateSettings`) returning 403 — SEO plugin REST routes are now always whitelisted
* Fixed: `manage_options` is temporarily elevated during any SEO plugin REST request so save/update operations work correctly
* Improved: Capabilities tab now shows SEO plugin sections only when that plugin is actually installed — each setting as its own row, all defaulting to enabled
* Improved: Rank Math redirections, 404 monitor, analytics, site analysis — all individually controllable per row
* Improved: Yoast and AIOSEO caps similarly separated with all defaults on

= 2.2.0 =
* Fixed: Replaced inline `<style>` echo in access control with `wp_add_inline_style()` (WordPress.org requirement)
* Fixed: Replaced inline `<style>` and `<script>` in Plugin Access Deny page with `wp_add_inline_style()` and `wp_add_inline_script()` (WordPress.org requirement)
* Improved: Plugin Access Deny now uses explicit slug patterns for Rank Math, Yoast, AIOSEO, WooCommerce and other major plugins — all their admin pages reliably appear in the deny list
* Added: Author URI field in plugin header
* Updated: Contributors field in readme.txt

= 2.1.0 =
* Fixed: SEO plugins (Rank Math, Rank Math Pro, Yoast SEO, Yoast Premium, AIOSEO, AIOSEO Pro) now fully unrestricted — all caps pass through freely
* Added: SEO Plugins capability category with 15 caps across all supported plugins
* Added: Auto-detection of active SEO plugins shown on General tab
* Fixed: WordPress.Security.EscapeOutput errors (escaped `$found` with `wp_kses`, `$bg` with `esc_attr`)

= 2.0.0 =
* Added full capabilities registry with 15 categorized sections
* Added per-capability checkbox grid in settings UI
* Added Plugin Access Deny submenu for per-plugin admin page blocking
* Added Grant All / Deny All per category, search/filter, Restore Defaults
* Added toggle switches for quick access blocks
* Added unsaved-changes warning in settings
* Rebuilt settings page with tabbed UI
* All v1 features preserved

= 1.1.0 =
* Added plugin view-only mode (can see installed plugins list, all actions blocked)
* Added CSS hiding of plugin action links and bulk-action controls
* Removed Plugins menu from sidebar (now kept visible as read-only)

= 1.0.0 =
* Initial release
* Custom Admin Panel Manager role
* WooCommerce Orders, Customers, Users, Reports blocking
* 12-hour session timeout with configurable settings page
* REST API blocking for orders, customers, users
* Compatible with Rank Math, Yoast SEO, WooCommerce HPOS

== Upgrade Notice ==

= 2.0.0 =
Major update. After upgrading, visit Limited Admin Role → Settings → Capabilities to review and save your capability preferences. Existing block settings (Orders, Customers, Users, Reports) are preserved.

== License ==

This plugin is licensed under the GNU General Public License v2.0 or later.

Full license text: https://www.gnu.org/licenses/gpl-2.0.html
